The Center for Democracy and Technology's April 2000 statement on P3P
acknowledges some facts about P3P that we can all agree on:

that P3P is not going to provide general privacy protection for Internet
users

that it limits itself to informing users about stated privacy policies
of the web sites they visit

that P3P does not imply any enforcement method for the data collection
agreement between users and web sites

that in the absence of some type of regulation or law there is no basis
for consumer protection

There are still a number of areas where we disagree, many of which are
covered in my original paper on P3P and the FAQ on data privacy that I
authored for CPSR. Among these are:

that the language for P3P for describing privacy policies is both impoverished
and deceptive

that P3P intermingles transactional data (i.e. your delivery address) and
marketing data (your date of birth and gender), which is again a typical
deception on the part of marketers

that the scope of P3P, that is its limitation to immediate Web site interaction,
renders it virtually useless

that it contains assumptions about the need to gather personal information
that cannot be supported

that it states erroneously that users will have viable choices between
sites based on privacy statements

What it comes down to, however, is that I have fundamental, philosophical
differences with CDT and the other developers of P3P. They aren't about
the details of what P3P does or doesn't do; they are about whether P3P
should exist at all. This is why we will never be in agreement, and I will
never do as they call for at the end of their document, ... So I want to
take a look at some of those basic differences and make them explicit as
part of my criticism of P3P.

Personal Data and the Web

CDT states that personal data collection is a necessary part of the web
experience: "... with anonymity or pseudonymity a person would be hard
pressed to be involved in the full diversity of interactions occurring
on the Internet."

Is this really the case? What activities on the WWW require you to give
out information about yourself? We aren't talking here about communicating
with friends over e-mail, or even participating in chats or newsgroups.
We are talking only about visiting web sites, which is what the P3P protocol
pertains to. (This in itself is artificially limiting, as we have seen with
incidents involving RealAudio and Comet Cursor, where programs downloaded
from the Internet contained tracking mechanisms but were not covered by
the privacy policy of the web site.) Here are the situations that I can
imagine where the collection of your personal data is required for participation
in the WWW:

Purchasing a product online. In this case, you must give your name, your
credit card number, the address that is associated with that credit card
number, and the delivery address. Under some circumstances, it may be necessary
to contact you about the purchase, and most vendors will prefer to telephone
or e-mail you rather than write a letter, so you will probably need to
supply one or both of those contact methods.

Right, that's it. There are many other situations where you have to establish
an identity of some kind, such as in online support forums sponsored by
vendors. In some cases you interact using an e-mail address, which, although
it may be pseudonymous, could likely be used to establish your identity.
But if we are talking about giving out your personal
data, that is the information that identifies, describes and locates you
in the real world, then there are very few interactions on the Web that
depend on your real life identity and coordinates.

The fact is, however, that the purchase situation above is not the main
interaction that is being addressed by P3P. Nor is it the primary way that
data about you is being gathered on the Web by sites that you visit. "Visit"
is the key phrase here: most data is being gathered about you when you
visit web sites, not when you make purchases or engage in any activity
other than merely looking at the site. The current revenue model on the
Net is the same advertising model that applies to commercial television,
commercial radio, and magazine publishing: these products exist to deliver
advertising to what in e-commerce is chillingly referred to as "eyeballs."

This reference to Web users as disembodied orbs, millions of virtual
Santa Lucias, stands in contrast to the warm invitations to "join" a site's
inner group of members or to personalize a site as your own online home.
Users are not explicitly asked to give up their data for the purposes of
marketing, they are offered "services" that were often devised purely as
a way to get users to reveal information about themselves. Those personal
services exist not because online users asked for them nor are they the
only possible options for providing shortcuts to frequently visited sites;
they exist solely as a way to gather data for marketing.

The personalization that a typical portal site allows is really a disguised
selection between sponsors. The site allows you to choose among its shopping
services or its news categories (e.g. stocks, sports); this establishes
a basic profile of interests. Then you type in your zip code so that your
local weather will appear on the page; now they have your geographical
location. You can also type in your date of birth so that your daily horoscope
will be included on the page; now they have your age as well as a data
element that, combined with other information, can at times be used to
identify you in other databases. You may also be able to add your own links
to the page, but it is possible that the randomness of these links makes them
virtually useless for the marketing function. All that matters is the selection
that you make from within the advertising profile that the site supports.
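As an added illustration, not part of the original essay, the following Python links a portal's pseudonymous profiles, built only from the "harmless" personalization fields described above (zip code, date of birth, gender), against a separate identified database that happens to carry the same three fields. Every record, name, cookie ID and the idea of a purchased mailing list are constructed for the example and are assumptions, not data from any real site; the point is the mechanism, not the particular records.

```python
"""Added example (not from the essay): re-identifying a cookie-keyed portal
profile by joining it to an identified database on quasi-identifiers.
All records below are constructed for the illustration."""
from collections import defaultdict

# Constructed: what a portal learns from personalization choices.
# The portal knows each user only by a cookie ID.
PORTAL_PROFILES = [
    {"cookie_id": "a91f", "zip": "94110", "dob": "1962-03-14", "gender": "F",
     "interests": ["stocks", "weather"]},
    {"cookie_id": "c07b", "zip": "94110", "dob": "1975-11-02", "gender": "M",
     "interests": ["sports"]},
    {"cookie_id": "e3d2", "zip": "60614", "dob": "1980-06-30", "gender": "F",
     "interests": ["news"]},
]

# Constructed: a separate identified database (assumed to be a purchased
# mailing list) carrying the same three fields next to names and addresses.
MAILING_LIST = [
    {"name": "K. Example", "street": "12 Valencia St", "zip": "94110",
     "dob": "1962-03-14", "gender": "F"},
    {"name": "J. Sample", "street": "88 Mission St", "zip": "94110",
     "dob": "1975-11-02", "gender": "M"},
    {"name": "P. Sample", "street": "90 Mission St", "zip": "94110",
     "dob": "1975-11-02", "gender": "M"},
    {"name": "R. Placeholder", "street": "5 Clark St", "zip": "60614",
     "dob": "1981-01-01", "gender": "F"},
]

# The fields that are individually harmless but jointly narrow a person down.
QUASI_IDENTIFIERS = ("zip", "dob", "gender")


def index_by_quasi_identifiers(records):
    """Group identified records by their (zip, dob, gender) triple."""
    index = defaultdict(list)
    for rec in records:
        index[tuple(rec[k] for k in QUASI_IDENTIFIERS)].append(rec)
    return index


def link_profiles(profiles, identified):
    """Return {cookie_id: [matching identified records]} for every profile
    whose triple appears in the identified database.

    One match re-identifies the user outright; several matches narrow them
    to a small group; a profile absent from the result did not match at all
    against this particular database."""
    index = index_by_quasi_identifiers(identified)
    links = {}
    for profile in profiles:
        key = tuple(profile[k] for k in QUASI_IDENTIFIERS)
        if key in index:
            links[profile["cookie_id"]] = index[key]
    return links


def reidentified(profiles, identified):
    """Cookie IDs that map to exactly one real-world person."""
    return sorted(cid for cid, matches in link_profiles(profiles, identified).items()
                  if len(matches) == 1)


if __name__ == "__main__":
    for cid, matches in link_profiles(PORTAL_PROFILES, MAILING_LIST).items():
        names = ", ".join(m["name"] for m in matches)
        print(f"cookie {cid}: {len(matches)} candidate(s): {names}")
    print("uniquely identified:", reidentified(PORTAL_PROFILES, MAILING_LIST))
```

Running it shows the three outcomes side by side: one cookie ID maps to a single name and address, one maps to two people at neighbouring addresses, and one does not appear in the second database at all. Nothing in the join depends on the user ever having typed a name into the portal.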

That some users may find these personalized sites convenient or appealing
does not make them necessary, nor does it justify the invasion of privacy
that this personalization makes possible. Is the gathering of personal
information necessary to the function? Not at all. Any Web user with a
certain amount of technical skill can create a page for herself that links
to news, local weather, and other information resources of interest. And
any site on the Net could provide personalized pages but not use the information
for anything other than delivering those sites to users. The use of the
profiles of these pages for commercial purposes has nothing to do with
the technology of the Internet and everything to do with economic models.

Note that should P3P come into use the sites will have to reveal that
the information about profiled members is used "to customize the site"
and for "research and development." Yes, the gathering of data about customers
for the full range of marketing and product development is called "research
and development."

Having a Choice

"As privacy advocates, we believe that -- armed with more information --
individuals will seek out companies that afford better privacy protection."

This statement in the CDT document is hopeful but entirely unfounded.
It makes the assumption that there are equivalent services on the Web that
differ only in their privacy policies. There are two reasons why this is
unlikely to be true. The first is that if the revenue model of the sites
is that of being supported by advertisers, no site will be able to afford
a significant amount of privacy compared to another. Even for sites that
are mainly used for purchases, the sites that gather data for advertisers
will be able to offer the lower prices. In the P3P model, choosing to give
up more personal data for a lower price on goods is the definition of an
"informed choice," and this is the kind of choice that we can expect people
to be given. None of the choices will be to maintain one's privacy. As a
matter of fact, if there is no great variation in the choices offered by
sites, the impact of a protocol like P3P will be nil.

The other reason that choices are and will be limited on the Web is
that information services tend to be unique. Because of the nature of intellectual
property and copyright, there is generally only one outlet for an information
resource. This is something that is often missed even by economists when
they discuss the market model in an information environment. If I want
to read the New York Times online but don't like their privacy practices,
it doesn't do me any good to read another newspaper instead. My choice
is simply to give up my personal data or to not get the product. In the
case of the Times it is fortunately available off-line through newsstands
where I can purchase it and read the articles anonymously. In the case
of information resources that are only available electronically, I have
no alternative format.

CDT is right that consumer reaction to the most egregious privacy
invasions does have an impact on industry. But the day-to-day trickle
of our data into the banks of direct marketers is the basis for the economy
of the Net. If we rebel against that we have to develop some other model
for supporting the Net infrastructure. Companies are pouring millions of
dollars each year into their web sites, most of which are bringing in no
revenue other than that provided by advertising. We can perhaps haggle
about some of the details but it has been well-established that the connection
between our virtual selves and our potential as consumers is the economic
basis of the current version of the Internet. The question for us, therefore,
is whether this is the Net we want and if we can create other options.

While it may seem overly idealistic to suggest that we could reinvent
the Web with a different revenue model, there are good reasons to do so.
There are reasons why the advertising revenue model is not the best one
for our communications and information systems. Advertising works well
for some products and for entertainment because these are promulgated appropriately
through popularity, and advertising is entirely about making things popular.
Information does not lend itself to the popularity contest model. Because
it is hard to judge what information will be useful in the future we don't
want only today's best-selling information to survive. Ideas don't kill
each other off the way that "winning" products eliminate their rivals.
A successful idea needs the unsuccessful ones to explain itself and continue
its existence. And in our liberal world we expect the unpopular ideas to
remain in circulation at least in libraries and academic environments where
they can be constantly reassessed for validity.

If you need a popular product, information and ideas are not what you
should be pushing. It's easy to see why the Web has become more of an entertainment
center over the years since the privatization of the Internet, as compared
to the information intense resources that were available when the Internet
was non-profit and publicly funded. We can't expect the current model to
support non-entertaining information services yet our information resources
are increasingly digital and therefore need the Internet (or something
very similar) as their delivery vehicle. We are in a bit of a pickle, no
question about that, but the privatized Internet does not seem to be the
answer to these particular needs. Since my field and my interest is in
information services not entertainment, I am not content with this aspect
of today's Web.

Is Any of This Really Necessary?

P3P is not a technical standard like XML or HTML 4.0. It is not about how
the Net works. It addresses the current economics of the Net which are
separate from the technology. As a matter of fact, the basic technology
of the Web hasn't changed since 1990, yet the addition of P3P to the web
protocols would have seemed nonsensical in 1992 or even 1994. It is appropriate
that P3P is under the W3C category "Technology and Society," because it
really is about a technological approach to a social issue. Although it
would be implemented in the Web technology it is more about that economic
model than it is about the structure of the Web and how it functions.

What P3P does represent is a tacit acceptance of the great increase
in the tracking and monitoring of our minor activities that takes place
over the Web. I say that it is an acceptance of this monitoring because
it is designed to allow Web users to interact within that environment, rather
than trying to change the environment into one where the monitoring would
not take place.

P3P and the assumptions behind the protocol tell us a lot about the
Web and the kind of activities that take place there. P3P is clearly designed
for an interaction between strangers, one of whom may decide not to continue
the relationship based on the privacy policy or privacy desires of the
other. An interaction that will be broken over the issue of privacy policy
is probably a very thin interaction to begin with, with limited goals.
The idea that a privacy policy will make or break a web site is a statement
about the contentlessness of the web. If the site has something
that people need, really need, many will visit it regardless of the site's
privacy policy. We already make this decision in our offline interactions:
we give up our privacy in order to obtain a driver's license, to purchase
a home, to enroll in an educational program. We also give up some amount
of privacy to speak out in public, to sign petitions for or against causes,
to run for office.

There is concern about the privacy implications of these offline interactions
but we perceive something different about the privacy invasions that take
place over the Web. Part of the difference is that the requests for our
personal data are not part of essential services, so there is very little
justification for our loss of privacy on the Web. We might understand that
property ownership requires us to identify ourselves to the community,
but we are less willing to give up our privacy in order to see a weather
report on our screens or listen to music over the Internet. It's not just
that we are losing our privacy but that we can see no social justification
for the information that is being gathered. It is notable that the same
Net community that went wild over the idea that Lotus would market a CD-ROM
with personal data for marketing purposes did not take up the rallying
cry against giving their information to the 2000 U.S. Census. For all
that the Net has a reputation of being a haven for privacy absolutists,
there does seem to be some discernment that takes place.

Solutions for Privacy

How hard is it to protect the privacy of Internet users? It doesn't require
complicated protocols. The first solution for maintaining privacy on the
Web is to avoid giving out information about oneself. This means not
signing up for personalized pages, not becoming a member of any site. For
those who wish to participate in online forums or sign up for some services
they can create a pseudonym and use an account created on a free e-mail
service as their return address. For an even more secure identity, the
company Zero-Knowledge will provide five untraceable identities that can
be used for all kinds of Net interactions.

Because much of the tracking of site visitors is done through cookies,
control of cookies is a vital part of maintaining privacy. The main Web
browser programs, Netscape and Internet Explorer, have limited cookie controls
built into them: they allow users to accept all cookies, reject all cookies,
or be asked to make a decision for each cookie. None of these options works
well, however. If you reject all cookies there are some sites that you
will not be allowed to access; if you examine each cookie before accepting
it you will be so bombarded with pop-up windows that it will be nearly
impossible to surf the Web at all (some sites will attempt to send as many
as thirty cookies before giving up). The best solution is to install one
of the many "cookie cutter" programs that allows you to profile what cookies
you do and don't accept and to easily delete any cookies that you have
received in the past. This allows you to accept cookies from sites you do
trust and where you wish to maintain a relationship, such as a technical
support site that keeps track of open problem reports through a cookie
identity, and to automatically reject cookies from marketing companies
like DoubleClick.

It is interesting to note that these more privacy-oriented cookie controls,
although not at all complex as a technology, are not available in the browsers
themselves. Had they been included in the primary Web browsers and been
in wide use over the last five years, the Net would be different from what
it is today in terms of personal privacy. We have to conclude that the
developers of browsers made a conscious decision not to include privacy-oriented
cookie controls because it might interfere with the economic model of many
Web sites, including their own. It is also significant that the P3P privacy
policy interaction relates solely to the immediate Web page that is visited.
This means that P3P does not include the gathering of data through banner
ad cookies and thus ignores the vast majority of privacy invasions on the
Web.
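The per-site cookie policy described above, together with the banner-ad case that P3P's page-by-page scope leaves out, in working form. This is an added example, not code from the essay or from any actual "cookie cutter" product: a small filter that parses Set-Cookie headers and accepts or rejects each one according to whether it comes from the site the user chose to visit, from a site the user trusts, or from a blocked marketing domain. The Set-Cookie lines, the policy lists and every host name other than doubleclick.net (which the essay itself names) are constructed for the example, and the domain matching is a plain suffix test with no public-suffix list, which is an assumption a real tool should not make.

```python
"""Added example (not from the essay or any real product): a per-site
cookie filter applied to Set-Cookie headers, distinguishing first-party
cookies from those set by embedded third-party content such as banner ads."""
from dataclasses import dataclass, field


@dataclass
class CookiePolicy:
    """Cookie preferences of the kind a 'cookie cutter' lets a user keep."""
    trusted: set = field(default_factory=set)   # sites where the user wants a relationship
    blocked: set = field(default_factory=set)   # marketing/ad domains to refuse unconditionally
    accept_first_party: bool = True             # default for the site actually visited
    accept_third_party: bool = False            # default for embedded ads, counters, images


def host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (case-insensitive).
    Assumption: a suffix test suffices here; a real tool would use a public-suffix list."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: cookie name, value and lower-cased attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_domain(cookie: dict, response_host: str) -> str:
    """Domain the cookie will be sent back to: the Domain attribute if present,
    otherwise the host that sent the response."""
    return cookie["attrs"].get("domain", response_host).lstrip(".").lower()


def decide(header: str, response_host: str, page_host: str, policy: CookiePolicy) -> str:
    """Return 'accept' or 'reject' for one Set-Cookie header.

    page_host is the site the user navigated to; response_host is the server that
    sent this header, which for a banner ad or tracking image is some other site."""
    domain = cookie_domain(parse_set_cookie(header), response_host)
    if any(host_matches(domain, b) for b in policy.blocked):
        return "reject"                     # the blocklist wins over everything else
    if any(host_matches(domain, t) for t in policy.trusted):
        return "accept"
    # First-party means the cookie is scoped to the visited site or a parent of it.
    first_party = host_matches(page_host, domain)
    if first_party:
        return "accept" if policy.accept_first_party else "reject"
    return "accept" if policy.accept_third_party else "reject"


def filter_response(headers, response_host, page_host, policy):
    """Apply decide() to every Set-Cookie header of one response.
    Returns (accepted, rejected) lists of cookie names, so a site that sends
    dozens of cookies produces one summary rather than dozens of prompts."""
    accepted, rejected = [], []
    for header in headers:
        name = parse_set_cookie(header)["name"]
        verdict = decide(header, response_host, page_host, policy)
        (accepted if verdict == "accept" else rejected).append(name)
    return accepted, rejected


# Constructed policy: keep a relationship with a vendor's support site, never
# accept cookies from DoubleClick (named in the text), reject other third parties.
POLICY = CookiePolicy(trusted={"support.example-vendor.com"}, blocked={"doubleclick.net"})

# Constructed Set-Cookie headers as they might arrive while viewing one news page:
# (page_host, response_host, header)
SAMPLE = [
    ("news.example-news.com", "news.example-news.com", "session=abc123; Path=/"),
    ("news.example-news.com", "news.example-news.com",
     "prefs=zip94110; Domain=.example-news.com; Expires=Fri, 31 Dec 2010 23:59:59 GMT"),
    ("news.example-news.com", "ad.doubleclick.net",
     "id=7f3a; Domain=.doubleclick.net; Expires=Fri, 31 Dec 2010 23:59:59 GMT"),
    ("news.example-news.com", "counter.example-stats.org", "uid=99"),
    ("support.example-vendor.com", "support.example-vendor.com", "ticket=42; Path=/"),
]

if __name__ == "__main__":
    for page_host, response_host, header in SAMPLE:
        verdict = decide(header, response_host, page_host, POLICY)
        print(f"{verdict:6}  {response_host:28} {header}")
```

The two news-site cookies are accepted because they are scoped to the page the user asked for, the DoubleClick cookie is rejected by the blocklist, the unknown counter's cookie is rejected as third-party by default, and the support site's ticket cookie is accepted because the user chose to trust that site. Flipping `accept_third_party` is the difference between a browser's "accept all" setting and a real per-site profile.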

Educating Web users in these two very simple methods of maintaining
their privacy would not only mean privacy gains for users but it might
even begin to change the nature of the Web by giving users some real choices.